Machine authentication

jarek jarek at poczta.srv.pl
Tue Aug 12 02:28:59 EDT 2014


Thanks!

Dnia 2014-08-09, sob o godzinie 16:20 +0100, Dameon Wagner pisze:
> On Sat, Aug 09 2014 at 00:41:07 -0400, Greg Hudson scribbled
>  in "Re: Machine authentication":
> > On 08/08/2014 03:37 AM, jarek wrote:
> > > 	Is it possible to receive ticket for host principal and use
> > > 	this ticket for authentication ?
> > 
> > Yes.  Normally this is done using a keytab, in one of three ways:
> > 
> > * krb5_get_init_creds_keytab from the application code.
> > 
> > * kinit -k from the command line.  (This will only work until the
> > resulting tickets expire.)
> > 
> > * Client keytab initiation (new in MIT krb5 1.11).  Set the
> > environment variable KRB5_CLIENT_KTNAME to FILE:/path/to/keytab, and
> > set KRB5CCNAME to FILE:/some/path/writable/by/daemon/process.  Don't
> > create the ccache.  The GSS application will create it automatically
> > using the keytab, and will refresh it when needed.
> 
> Another option that sits somewhere between options 2 and 3 is to use
> Russ' very useful k5start tool [0] which will "Obtain and optionally
> keep active a Kerberos v5 ticket" by creating a CCache and renewing it
> when necessary.  The page [0] explains it all better than I can, so
> probably best to just give it a read through.
> 
> Cheers.
> 
> Dameon.
> 
> [0](http://www.eyrie.org/~eagle/software/kstart/)
> 




More information about the Kerberos mailing list